Data Sharing: who do you trust?

Loose Lips Might Ship Sinks Poster

Yesterday I posted my full approval for folks like Apple and Google to know a lot of data about me, specifically from the devices I usually carry around with me. This is in the full knowledge that the full extent of data sharing is open, transparent and that I get notified (at least by Google) if any application on my Android handset is seeking to solicit more data from me, or changing their data sharing policy in any way. With that, I have full confidence that I can opt out if I ever feel the level of intrusion exceeds my comfort levels with the data use; i’m generally very happy if it does improve the level of service delivered to me without downsides.

I’ve only really baulked at one such update, which was a request by LinkedIn to be able to mine the call records of who I contacted, and who I received calls from, on my mobile phone. I felt this was a violation of the use I put their application to, so elected to remove the application from my Nexus 5 instead.

After I posted my note, I had a reply on Facebook from Bruce Stidston, that read:

You’re right, IMHO, up to a point when you say “what’s not to like?”. For me, the bit that’s not to like is scope creep. The NHS, for example, accumulates data on each patient, and that’s (potentially) cool when it’s used to improve patient outcomes by sharing within the NHS. The problem is that as we move into maturity in IT and data collection technologies, we’re not even in infancy when it comes to concepts of privacy. So when some bright spark reckons it’s cool to dish out “aggregated and individually unidentifiable” data to Big Pharma to shore up NHS finances, I need to be right there on the ball to say yay or nay — and that’s in the best-case situation. The real-case situation is they’ll do it anyway and seek forgiveness afterwards. That’s what’s not to like.

I think of this generalised problem as “the tragedy of the techno-morons”. Smart people did amazing things to make impossible things happen — think just for a moment of the layers of wonderful intricacy that make GPS work, which all of us now depend on — and then some Tim Nice-But-Dim (like my MP) who have only just worked out how a bicycle works are entrusted with the powers to sign off huge snowballs of potentially invasive applications for those technologies. I never forget that the guys at BT who decided that deep-packet inspection of private IP datastreams was fine for advertising purposes, have yet to be hauled before the courts.

I think Bruce is 100% correct. It was with some horror that I saw some plans to share my NHS data with commercial organisations, data which was claimed in the headlines to be anonymised but which appeared to contain my date of birth and postcode. The missing cluestick is that a UK postcode routinely covers an average of circa 10 households, and i’m pretty sure i’m the only one in my postcode of my age and gender, and that’s even before my day and month of birth get served up. This is a textbook example of history about to repeat itself, given the people looking at this process are obviously unaware of what happened when AOL released ‘anonymised data’ a few years ago. You only have to Google “AOL data leak” and you’ll probably find top of the list is this Wikipedia article.

The sad fact is that anonymising the data set relies on ensuring an inability to triangulate data, between disparate data sources, to be able to trace records provided back to specific named individuals. The proposals drove a bus straight through this without apparent due care and attention. The side effect of this is then for a commercial entity to be able to positively discriminate against me for the purposes of insurance (which should be a random level tax across a policy holding population) or to undermine my human rights for privacy, freedom of expression or freedom of movement without unwanted side effects.

The meme of “Crisis in the NHS” is not an appropriate one in my view, in that the UK health service is well funded and very efficient compared to the health systems in virtually every major economy. It appears to be being subverted in support of introducing American-style structural changes, where the costs are around double ours per head of population, not universal and yet stuffed with inefficiencies we should have no wish to copy here. With that in mind, seeing the delay in the consultation about data sharing enacted, it came as rather a shock to see this list of data sharing activity that had already taken place without consultation:

Ministers have gone against the findings of their own information governance review and allowed patient-identifiable data from GP records to be used in the NHS outside of the ‘safe havens’ recommended by the Caldicott report for six months.

Health secretary Jeremy Hunt has approved plans for NHS England to waive common confidentiality laws for six months under a legal exemption called section 251, allowing patient identifiable data to be passed to commissioners and support units.

This is despite the safe havens for potentially identifiable patient data recommended by the Government’s own Caldicott2 report published earlier this year not being in operation.

The extent of this sharing is documented here. At the time I first looked at the document of already approved data releases, it ran to 40 pages of A4. It’s currently 459 releases over 48 pages (latest up-to-date here). I fear Bruces “Tim – Nice but Dim” goes by the name of Jeremy Hunt and the damage has been in full flow, despite previous assurances, for some time now. This is an appalling travesty and an apparent violation of the whole basis of UK Data Protection Acts. The Minister should be thoroughly ashamed and, if justice were to be served, should be up in front of the European Court for a fundamental violation of Section 8 of the European Convention of Human Rights (the right to privacy).

It’s also with an equal level of concern that Ministers of the UK Government are also suggested that tax records should be released in a publicly accessible form by HMRC.

I’m all for data to be shared for Medical Research purposes (as suggested by Larry Page), or in support of Government initiatives to undertake projects for the common good of the UK population. My wife Jane already has all her genome stored at 23andMe, as we have full confidence in their data sharing policy and our ability to reverse out if we feel at all uncomfortable in the future. In doing so here in the UK, the folks releasing data should be fully cognizant of the need to ensure the privacy of individuals that may otherwise be subjected to personal or commercial discrimination as a result of provision of data, either directly or from being complicit in allowing triangulation from other sources to the same end result.

Those who don’t learn from history are, as always, destined to repeat it. We should by now know better than that, and have politicians that know likewise.

Blockchain: the ultimate and positive chaotic disruption

Light Bulb Lit Up

The future is here. It’s just not evenly distributed yet“. Those were the words of Tim O’Reilly, owner of O’Reilly, producer of many of the definitive books on software systems and associated conferences. His company’s Radar blog is also noteworthy for it’s excellent peeks into the future of high technology related products and services. One subject seems to pass it by, and I can’t help think the implications are much more significant than people really comprehend yet; that of the technology that sits behind Bitcoin (Bitcoin itself is but a small part of it).

The mechanics of Bitcoin are described in the original Satoshi Nakamoto paper here. Alternatively, an earlier introductory blog post from me.

The main truly disruptive innovation with much wider utility is that of a Blockchain. A public record that is stored across many hundreds or thousands of machines, in hundreds of different legal jurisdictions, but together forming a definitive record of activity without any central control. A sort of ledger that lives in the worlds commons, and operable in a way that ensures a single digital object cannot be “double spent”; only transferred between entities.

Much of the economic activity in the world is currently served by institutions who possess “choke points” through which activity is carried and who charge (in some way) at the gate. If I want to send cash to someone, I typically pay commission or transaction charges to a number of institutions to do so. There are many areas that could be unleashed when transaction costs tend to zero and the record of some activity is stored in a publicly accessible entity without any central control:

  • Proof of Existence. One of the innovations of GIT (the Source Code Control System written by Linux author Linus Torvalds) is that every individual document/file is recorded in it’s database as a “hash”. When any piece of Digital material is passed through this piece of maths, the hash is a 8 byte “signature” that is effectively unique (the change of two random documents having the same hash is circa 1 in 83 million). So, you can immediately see, with very little comparison work, whether two documents are exactly the same or different. Manuel Araoz, a 25-year-old developer in Argentina, uses a blockchain to prove authoritatively that you had a specific document in your possession on a specific date, without having to publicly publish it’s content. The fact that electronic signatures can be part of the document being held (and hashed with the rest of its surrounding content) means that you have a distributed contract “system of record”.
  • Namecoin. The current Domain Name System (DNS) is effectively the web’s telephone directory that translates memorable names (like www.bbc.co.uk) into the Internet Protocol Address(es) at which that web site resides (in this instance, 173.194.115.96 and 10 others). However, the central repositories where this information is stored can be systemically blocked or willingly corrupted by owners of the various choke points, or the governments under whom they operate from a legal jurisdiction perspective. Namecoin is an attempt to mirror the DNS in a widely distributed blockchain, with domain names ending “.bit”, and hence operationally difficult to corrupt or censor. Although I have no useful application for it at this stage, I have already registered “ianwaring.bit” to reserve my presence there.
  • Music Distribution. Following a Kickstarter type model, would you like to buy shares in a specific musicians new song? That way, you’d see a return on your investment if it proved popular and you managed to help promote it widely to a bigger audience. Piracy in reverse! The Blockchain protocol does have the ability to run such Assurance Contracts (ie: this project is funded only if pledges of a specific value are achieved by a certain date, or annulled if the target is not met by then), so there are similar precedents for Venture Capital, or even what has to date been tax funded Government projects for the public good. I sometimes wonder how HS2 would do if the UK Government ran the whole thing as a Kickstarter project, and see if the beneficiaries were willing to put money where their political mouths are!
  • Voting. One of the ultimate choke points where MPs act as a proxy for the voters in a geographic area they represent for a multi-year term. The act of multi-year elections is probably an edge case; it’d be more radical if I could choose when I want my MP to act as my proxy and when I wish to register my share of the decision making process personally instead. I somewhat doubt that folks currently in Westminster would wish to put their constituents in control of their own interests, despite how refreshing and re-engaged we’d feel as a result.
  • Vendor Relationship Management. This is the ultimate result of Doc Searl’s work on VRM, where we ask commercial entities to bid for our business. Given the low or zero transaction cost, you could delegate a lot of the associated work to software agents if the product or service was a commodity. Like a Taxi or self-driving car, as given in this excellent 25 minute talk by Mike Hearn, an ex-Google employee (it is a great talk to listen to – not least the effect when some of the actors in transactions are machines themselves, complete with their own bank accounts and long term trade related decision making). Even Yelp, TripAdvisor or Social Media recommendations would be more plausible if subjected to the authoritative “someone I can trust” standards that the underlying technology can provide.

I’d thoroughly recommend this article on Business Insider, which does a great job of highlighting some of the possibilities.

There are many challenges ahead. Some regulatory (I hope Politicians and our Public Servants do act in our long term best interests, without being victim of the lobbying of interests rendered on the wrong side of , or distorted out of shape, by a drive for our mutual good). Some technology (things like Bitcoin will need improvements to bring down the current 10 minute delay to provide definitive authentication, and to handle an increase in Blockchain size to handle the transaction volumes currently seen by Mastercard and Visa networks). But the potential applications are dizzying both in number and of disruptive impact to everyone.

As Fred Wilson, notable VC, said recently: Let’s go back and revisit the big innovations on the commercial Internet over the past twenty years. TCP/IP, HTTP, The Browser, Search, Social, Mobile, Blockchains. Each one of those innovations drove an investment cycle. Our 2004 fund was built during social. Our 2008 fund was built during social and the emergence of mobile. Our 2012 fund was built during the mobile downturn. And our 2014 fund will be built during the blockchain cycle. I am looking forward to it.

Bitcoin (which I described in greater detail here) was only the start. The main challenge now is one of identity, and protecting it from interlopers. You have to keep your private key insanely private (even to the extent of keeping it off Internet connected machines), as that is your definitive personal identifier that someone else could use to masquerade as the real you everywhere online. At least until something can check your own physiology (it is really you), and your state of mind (you haven’t been sectioned, frail nor threatened), prior to any transaction being authenticated. Or is that what the Apple iWatch will be all about?

So, how do Policing Statistics work?

Metropolitan Police Sign

I know I posted a previous note on the curious measures being handed down to police forces to “reduce crime”. While the police may be able to influence it slightly, in the final analysis they only have direct control over one part of the value chain – that of producing the related statistics (I really don’t think they commit all the crimes on which they are measured!). The much longer post was this: http://www.ianwaring.com/2014/04/05/police-metrics-and-the-missing-comedy-of-the-red-beads/

I’ve just had one of my occasional visits back to “Plumpergeddon” – not recommended in work environments for reasons that will become apparent later – which documents the ebbs and flows of the legal process following a mugging and theft (of a MacBook and a wallet containing a debit card) in London in November 2011. It is, to put it mildly, a shocking story.

The victim of the crime – and owner of the MacBook – had installed a piece of software on his machine that – once he’d enabled a tick box on an associated web site – started to “phone home” at regular intervals. Taking pictures of the person using the computer, shots of what was on the screen at the same time, and both tagged with it’s exact geographic location. He ended up with over 6,000 pictures, including some which showed sale of goods on eBay that matched purchases made on his stolen credit cards.

I’m not sure exactly how the flow of incidents get rolled up into the crime statistics that the Met publish, but having done a quick trawl through the Plumpergeddon Blog, starting at the first post here and (warning: ever more NSFW as the story unfolds, given what the user started paying for and viewing!) moving up to the current status 29 pages later, the count looks like:

  • 1 count of mugging
  • 1 theft of a MacBook Pro Personal Computer, plus Wallet containing Company Debit Card
  • 2 counts of obtaining money (from a cashpoint with a stolen card) by deception
  • 9 counts of obtaining goods (using a stolen debit card, using a PIN) by deception
  • 2 counts of obtaining goods (using a stolen debit card, signing for them) by deception
  • 11 counts of demonstrably selling stolen goods

So, I make that 26 individual crime incidents.

The automated data collection started off within 4 weeks of the theft phoning home (it took one shot of the user, a screenshot and reported location and connection details every 10 minutes of active use). He ended up assembling circa 6,000 pieces of evidence (including screenshots of the person using his MacBook, and screenshots documenting the disposal of the goods purchased with the stolen card using three separate accounts on eBay). All preserved with details of the physical location of the MacBook and the details of the WiFi network it was connected to.

Many ebbs and flows along the way, but the long and short of it was that the case was formally dropped “for lack of evidence”. This was then followed by a brief piece of interest when some media activity started picking up, but it then sort of ebbed away again. In May 2013, news came back as The case file is back with the officer, and the case is closed pending further leads.”

Four weeks ago, the update said:

I Am No Longer the Victim. Apparently. I was told last night in a police station by a Detective Constable that because the £7,000 I was defrauded of was returned by my bank after 3-4 weeks, and the laptop was replaced by my insurance company after 4 months, I am no longer considered the victim for either of those crimes. I was told that my bank and insurance company are now the victims.

I assume this must mean that when a victim of an assault receives compensation, the attackers subsequently go free? Any UK based lawyers, police or other legal types care to shed some light on this obscure logic?

Cynical little me suspects i’m being told this because the police don’t want to pursue charges over those crimes, even though (as most readers will know and as I said in my previous post) I’ve done practically all the legwork for them.

I must admit to be completely appalled that a case like this. Given the amount of evidence submitted, it should have solved a string of fraudulent transactions and matching/associated Sale of Stolen Goods, that could have incremented the Metropolitan Police “crimes solved” counter like  jackpot machine. 26 crimes solved with all the evidence collecting leg work already done for them.

So, where does this case sit on the Metropolitan Police Statistics? Does it count as all 26 incidents “solved” because the insurance company have paid out and the debit card company have reversed the fraudulent transactions?And above all, is the Home Secretary really satisfied that she’s seeing an appropriate action under her “reducing crime” objective here??

The guy is still free and on the streets without any intervention since the day the crimes were committed. Free to become the sort of one-man crime wave that Bill Bratton managed to systematically get off the streets in New York during his first tenure as Police Chief there (I recall from his book The Turnaround that 70 individuals in custody completely changed the complexion of life in that City). Big effect when you can systematically follow up to root causes, as he did then.

However, back in London, I wonder how this string of events are mapped onto the crime statistics being widely published and cited. Any ideas?

Intellectual Property: the best lessons avoid public subsidies

Nixon Follow the Money

One thing I find particularly sad is one of the items my MP sent out on his latest weekly newsletter, in a section entitled “Intellectual Property”. It reads:

Mike Weatherley, Intellectual Property Adviser to the PM, has called on the Prime Minister to establish permanent funding for the newly-formed Police Intellectual Property Crime Unit (PIPCU), which tackles IP crime across the country and is based within the City of London Police. More here, Twitter: @mike_weatherley. In his letter Mike said, “I appreciate that funding for this new unit is not permanent. However, I would like to put on record my support for committing future funding to fighting IP crime and boosting the current level of financial support that is available for PIPCU. As I am sure that you are aware, the creative industries add over £70 billion to our economy each year and so it really is in our national interest to protect that revenue.”

It’s difficult to know where to begin to unpick this, but for me, the immediate red flag is the familiar use of common fallacies to support an argument. A full collection can be found here. The “It’s big so must be protected” doesn’t even start to hold water on further analysis, albeit he’s done everyone a slight favour by not dragging in allegations that to do otherwise is to support terrorism – a line i’ve heard in the past from a spokesman for the “Federation against Copyright Theft” (aka FACT). Effectively, i’d suggest the “creative industries” are choosing a business model built on scarcity, and then asking the general public to subsidise the associated cost of that choice. A civil offence morphed into a criminal one in the vain hope to play King Canute.

I wouldn’t knowing mind the source of that £70 Billion figure, and the geography over which that is spread. These sort of numbers are routinely banded around, but often found to be wanting when traced back to their original source.

A few years back, one commentator noted that you could get five years imprisonment for stealing a Michael Jackson track, while Conrad Murray got four years for killing him. A British guy queued for extradition to the USA for having a web site publishing links to torrent sites, and a Dutch National queued for extradition from Australia to the USA, both of whom have committed no crime in the legal jurisdiction in which they reside. Finishing that same week with SOPA and PIPA legislation shelved for the time being, with the MPAA explicitly reminding US politicians whose pocket they were supposed to be in.

The central allegation coming back is an old chestnut on piracy costing the Entertainment Industry money and/or jobs. Does that really hold up to any scrutiny? Is it not more related to the pace at which material is released into other territories and lining up the economics to put a quality product in the hands of customers willing to buy where there is demand? And to do so at a price point where there is little incentive to invest time and effort to subvert the process??

I think that’s a lesson that Apple helped solve in the early days of iTunes. It’s easy for consumers to do the right thing. Right now, if my wife sees that the latest series of Dallas is airing in the USA, where can she send money to see it now? Answer: nowhere. Would someone like to take her money please? No??

I recall some excellent work done by Claire Enders in the days of Napster. Claire at one point earlier in her career worked on strategy for EMI Music, was adept at turning 500+ pages of BMRB research tables into pithy summaries of Music/Internet/Telco market directions, and was outrageously unPC when numbers she uncovered contradicted public statements by senior media company execs. A joy to listen to. Claire now runs Enders Analysis, and is often on Sky and Bloomberg exercising her “take no prisoners” views. But I digress.

The thing she found was that the only people who suffered any loss from Napster and similar music sharing services were the top 10 artists at each of the 5 or so big record labels. Everyone else benefited, by way of exposure of their music to a wider audience, and related secondary businesses like concerts and merchandise. So, at face value, the RIAA strings were being operated on behalf of 50 or so economic entities in total, some of whom are well known for their adept tax avoidance and deployment of their wealth in offshore tax havens.

That got me thinking. Whose interests are being compromised by the recipients of the aggressive pursuits across the world? Who are these people who are besmirching the reputation of lawmakers in foreign lands by their heavy handed approach to playing King Canute on individuals who will have little impact on the cause they are PR’ing? Why are the amounts being sought so out of proportion to the actual monetary amounts involved??

Clue is to follow the money. In the USA (and which then spills over here), the folks funding the effort are giving major money to politicians. The funds are massive. Chief beneficiary of the politicians spend is the TV Networks. Aren’t the TV networks mainly owned by the few big, vertically integrated media companies? So the money appears to go full circle.

Lest we forget, even Copyright and Patents were put in place as servants of the Public Good. To do the right thing to prevent hoarding of good works that benefit society as a whole. Unfortunately, the public the laws were passed to serve are rarely represented in the reviews that affect their implementation – and their misuse by bodies with agendas that subvert the public good for which they were designed. I think our MPs would do us all greater favours by demanding – at bare minimum – proposals to be more explicit in the aspects or areas of Intellectual Property that they feel need criminal law protection by this Police Unit – and that any which are contingent on a poor choice of business model should be passed back instead to be funded by the party choosing the demonstrably defective business model alone.

Wouldn’t the resources be better spent improving the access, timeliness and expense of content across the world? I suspect (and research bears this out) that most consumers want to do the right thing, and piracy would be a meaningless economic niche. With that, a useful saving to be made in times of austerity, and police could spend their resources doing what the public who fund them to want them to do alone.

Having someone more forward-thinking in government circles – and to push back appropriately – would make the world a better place.